Summary
In a default installation of Oracle 9iAS, it is possible to access SOAP documentation. These files might be useful for an attacker to determine what application server is being used.
Solution
Remove the 'soapdocs' alias from the Oracle 9iAS http.conf:
Alias /soapdocs/ $ORACLE_HOME/soap/docs/
Note that the default installation of Oracle 9iAS 1.0.2.2 does not seem to suffer this issue.
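The following script is an added example (not Oracle's, NGSSoftware's or the scanner vendor's own tooling) that turns the remediation above into a repeatable check: it scans an Apache-style configuration file for an active `Alias /soapdocs/` directive and, when one is found, comments it out. The sample configuration it builds is constructed for the demo and uses the page's own `$ORACLE_HOME/soap/docs/` target; the hostname and the `--demo` flag are assumptions.

```shell
#!/bin/sh
# Added example: audit an Apache-style httpd configuration for the Oracle 9iAS
# 'soapdocs' alias and neutralise it by commenting the directive out.
# Assumes one directive per line (the usual httpd.conf layout).

# Exit 0 when no active 'Alias /soapdocs/' directive is present, 1 when it is.
# Lines that are already commented out are ignored.
check_soapdocs_alias() {
    if grep -qE '^[[:space:]]*Alias[[:space:]]+/soapdocs/' "$1"; then
        echo "EXPOSED: $(grep -nE '^[[:space:]]*Alias[[:space:]]+/soapdocs/' "$1")"
        return 1
    fi
    echo "clean: no active /soapdocs/ alias in $1"
    return 0
}

# Comment out every active 'Alias /soapdocs/' line. The rewrite goes through a
# temp file so it behaves the same with GNU and BSD sed and replaces atomically.
disable_soapdocs_alias() {
    tmp="$1.tmp.$$"
    sed 's|^\([[:space:]]*\)\(Alias[[:space:]]*/soapdocs/\)|\1# disabled (ias_soap_alert): \2|' "$1" > "$tmp" \
        && mv "$tmp" "$1"
}

# Constructed sample configuration mirroring the default 9iAS directive;
# $ORACLE_HOME is kept literal (quoted heredoc) exactly as the advisory shows it.
make_sample_conf() {
    cat > "$1" <<'EOF'
ServerName ias.example.invalid
Alias /soapdocs/ $ORACLE_HOME/soap/docs/
Alias /icons/ /usr/share/httpd/icons/
EOF
}

# Stand-alone demo: ./soapdocs_check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    make_sample_conf "$f"
    check_soapdocs_alias "$f" || disable_soapdocs_alias "$f"
    check_soapdocs_alias "$f"
    cat "$f"
    rm -f "$f"
fi
```

To audit a real server, point `check_soapdocs_alias` at the live configuration (and at any files it `Include`s, since the alias may be defined in a separate fragment); reload httpd after `disable_soapdocs_alias` so the change takes effect, and confirm that a request for /soapdocs/ no longer returns the documentation tree.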
More information:
http://otn.oracle.com/deploy/security/pdf/ias_soap_alert.pdf
http://www.cert.org/advisories/CA-2002-08.html
Also read:
Hackproofing Oracle Application Server, from NGSSoftware, available at http://www.nextgenss.com/papers/hpoas.pdf
Severity
Classification: -
CVSS Base Score: 5.0 (AV:N/AC:L/Au:N/C:P/I:N/A:N)